As we have mentioned earlier, the General Data Protection Regulation is a law made to give the data subjects (citizens) more control over their data. The data subjects have been given the right to be informed, to access their data, to rectification, to erasure, to restrict processing, to data portability, to object and to restrict automated decisions and profiling. Articles 12–23 of the General Data Protection Regulation deal with the various rights of data subjects. Data subjects have been given 8 fundamental rights under GDPR. In short, the data subject now holds all the cards. However, there is no point in having great cards if you don’t know how to play the game.
STEP 1: Know whether you are governed by the law.
The first and foremost question that begs to be answered is whether one is protected under GDPR. To be able to effectively answer this, one should know the following:
- GDPR is location based. It protects only the individuals physically present within the territory of the European Union.
- This law is not limited to citizens of the European Union.
- GDPR does not protect the rights of a European Union citizen who is physically outside the territory of the European Union and whose data is, at that time, being processed by a controller that is also outside the European Union.
- GDPR protects the rights of non-EU citizens who may be in a country of the European Union for the purposes of work, travel, education, etc., if their data is being processed by a European Union based controller or processor.
STEP 2: Know your rights.
Now that you have figured out whether you are governed by this law or not, the second step for you as a data subject is to know your rights, so as to know your powers. It’s always easy to click on the “I agree” button of the “Terms and conditions” page of every website without bothering to read what you have consented to. That is where you lose half the battle. Some might argue that agreeing to the terms and conditions is inevitable. Well, not anymore. You have the right to be informed, which tells you exactly why your data is being processed. Add to this the right of access, which gives you more control over the processing of your data, and in case you are not happy with the way a company is processing your data, you can restrict the processing of your data. You see, you are given the power to know how your data is being processed, so why don’t you use that power judiciously? The Regulation makes it abundantly clear that data cannot be processed without the consent of the data subjects. So the data controllers will rather conveniently sneak the consent request into the terms and conditions or the disclaimers that one chooses to ignore. So be aware of what you are consenting to.
As a data subject, you have been granted the following rights under GDPR:
- The right to access your personal data: You can question the data controller about the processing of your data. You can now ask a data controller to give you access to all your data. This means you have a right to know the purposes of the processing, the period for which data shall be stored by the data controller, the source from which the data controller may have received your data, who has access to your personal data, whether it has been shared with a third party or an international organisation, etc. You are only entitled to your own personal data, and not to information relating to other people, unless you are authorised to act on behalf of someone.
- The right to rectify your personal data: In case your personal data that is being processed is inaccurate, then the data controllers are obligated to remedy the defect. GDPR does not define the word ‘accurate’. However, the Data Protection Act, 2018 does say that ‘inaccurate’ means “incorrect or misleading as to any matter of fact”.
- The right to be forgotten: This is a wonderful right that has been granted to data subjects. You no longer have to worry about your personal data being kept in storage by various companies so as to be used whenever they want. You now have the right to request erasure of your personal data from a company’s database.
- The right to restriction of processing: Simply put, GDPR gives you the right to limit the processing of your personal data. If you don’t want the company to flood your email account with regular spam emails telling you about offers that you have no interest in, but at the same time you don’t want to be forgotten, you can restrict the purposes for which your data may be processed.
- The right to be informed: In general, GDPR directs controllers to inform data subjects on several matters. Providing clear and correct information is a key duty in many regards. Simply put, GDPR wants consumers to know, because if you don’t know you can’t decide, right? However, that’s not all: data controllers also have to inform the data recipients about any rectification, erasure or restriction request you may have made. So now you don’t have to separately request any third party to rectify or erase your data or to restrict its processing; it is the duty of the data controller.
- The right to data portability: You can now obtain data that a data controller has and either store it for personal use or transmit it to another data controller.
- The right to object: As per this right, you can now object to the processing of your data by a data controller. This, however, is not an absolute right, and it applies only in certain circumstances. When the processing of data falls in the category of direct marketing, you can object at any time. In case the data is processed based on public or legitimate interests, you can object only if the data controller fails to demonstrate that it has a compelling legitimate interest to process the data that overrides the data subject’s rights and freedoms. However, in case your data is being processed for research or statistical purposes, you may not be able to object if the research is necessary for the performance of a task carried out in the public interest.
- The right to not be subjected to a decision based solely on automated processing, including profiling, which may produce legal effects concerning you or affect you: Automated individual decision-making is a decision made by automated means without any human involvement. For example, an online decision to award a loan or a recruitment aptitude test which uses pre-programmed algorithms and criteria. GDPR protects you against the risk of a potentially damaging decision that may be taken without human intervention.
STEP 3: Know how to exercise your rights.
The data subject can exercise his rights by sending a request to the data controller. The data controller is obligated to respond to such a request within one month, which may be extended in certain circumstances. However, the period of response cannot exceed three months. As a data subject, one should ensure that he is aware of how and for what purposes his data is being processed. Has it ever happened to you that you enter a coffee shop and, while paying the bill, the cashier asks for your phone number or email so that you can be apprised of new offers, you provide him with the details, and regret it after a week when you are flooded with irrelevant messages? Well, you can take control of the situation and request erasure of your data or restriction of its processing.
STEP 4: Know what to do in case of violation of your rights
A data subject can complain to the Data Protection Officer about any real or potential breach of personal data. If the Data Protection Officer fails to resolve the complaint, the data subject should raise the issue before the Supervisory Authority. A complaint may be raised if the data subject believes that his rights have been infringed, for instance:
- an excessive amount of his personal data is being collected without specifying the purpose;
- he has been refused access to his personal data;
- he has been refused the right to rectify inaccurate or incomplete personal data;
- his personal data has been shared with third parties without his consent;
- he is refused the right to block or erase inaccurate or irrelevant personal data about himself;
- his personal data is being processed illegally.
As we said before, the data subject holds all the cards, so they are free to decide how they will proceed further. Now that we have provided some insight into how data subjects can make the most of this regulation, in the next article we will deal with how technology can assist data subjects in gaining more control over their data.